[cap-talk] David Wagner's Google techtalk is now up!

James A. Donald jamesd at echeque.com
Wed Dec 12 22:28:05 EST 2007


Sandro Magi wrote:
> What definition of safety are you using?

And that is indeed the problem.

The sort of things a language can guarantee is that
functions are only entered at their proper entry points,
that data is only subjected to the appropriate
operations for that kind of data - we don't get string
data written over the return stack.

That stops a lot of bugs that hostile outsiders could
take advantage of.

The ability to restrict operations to only those
operations that are appropriate to that kind of data has
interesting implications when that data is a data
representation of a capability, and access to that data
correspondingly restricted.

But to make a C that was safe against such operations,
one would have to give up pointers - which is radically
incompatible with all existing C code, requiring a total
rewrite of an enormous body of fine code. Existing
languages that are safe against such operations run
slowly, and tend to suck up a lot of computing power -
compare Java programs with their C equivalents.

If a safe desktop were rewritten in something like Java,
the resulting desktop would likely be unappealing to
consumers.

Maybe something that ran faster than Java could be
created if it gave up on Java's automatic garbage
collection, or provided a greater role for programmer
garbage collection, but in place of C pointers and
indices, had operations like "For each x in Y, do ....",
"while x is in Y", "next x in Y", "while Y not empty
pop x from Y", with the compiler only allowing
operations on x that do to x what is permissible to do
with a member of Y when the code accessing x is inside
a code construct that guarantees x to be a member of Y.

Instead of the compiler automatically constructing a run
time check on each reference to x to make sure x is
inside array bounds, as in C safe arrays, the compiler
could demand the programmer can only reference x inside
code that the compiler can know is inside array bounds.

Because we have a vast amount of C and C++ code, I would
like to see a safe almost C++ language, such that most
existing code could be almost automatically translated
to a safe but comparably efficient language.  Java just
seems a bit too fascist for me, but maybe anything that
is safe, is innately a bit fascist.


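The loop constructs sketched in the post, written out in Rust as an added example (not the author's code or anything from the talk): the indexed form needs a run-time bounds check on every access, while the "for each x in Y" and "while Y not empty pop x from Y" forms make x a member of Y by construction. All function names here are my own.

```rust
// Added illustration of the post's idea; not code from the original message.

/// C-style access: the index comes from arithmetic, so the compiler cannot
/// know it is inside Y and a check must run on every access. The check is
/// written explicitly with `get`, which yields None out of range; plain
/// `y[i]` performs the same check and aborts (panics) instead.
pub fn sum_indexed(y: &[u64], upper: usize) -> Option<u64> {
    let mut total = 0u64;
    for i in 0..upper {
        total += *y.get(i)?; // run-time bounds check on each reference
    }
    Some(total)
}

/// "For each x in Y": x exists only inside the loop body, and the loop
/// construct itself guarantees x is a member of y, so there is no index
/// and no per-access check to emit.
pub fn sum_each(y: &[u64]) -> u64 {
    let mut total = 0u64;
    for &x in y {
        total += x;
    }
    total
}

/// Operations on x are limited to what is permissible for a member of Y:
/// each x may be updated in place, but the borrow checker rejects any
/// attempt to grow or shrink y inside the loop (adding `y.push(0);` in the
/// body fails to compile), which is what keeps every x a valid member.
pub fn double_each(y: &mut Vec<u64>) {
    for x in y.iter_mut() {
        *x *= 2;
    }
}

/// "While Y not empty, pop x from Y": the body only runs when a member
/// exists, so x can never name an element outside y.
pub fn drain_stack(y: &mut Vec<u64>) -> Vec<u64> {
    let mut popped = Vec::new();
    while let Some(x) = y.pop() {
        popped.push(x);
    }
    popped
}
```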